2016-01-01

Chairman's Decision No. (729) of 2016 Regarding Technological Controls and Information Security Rules for Electronic Issuance and Distribution of Standard Insurance Policies

The Egyptian Financial Supervisory Authority issued Decision No. 729 of 2016 to mandate technological controls and information security standards for insurance companies electronically issuing and distributing standard insurance policies via information systems. The regulation requires all data centers to operate within Egypt, enforces strict server architecture, firewall protections, and access controls, and explicitly prohibits distribution entities from retaining customer data. It further compels comprehensive system logging, five-year record retention, automated backup protocols, and strict privacy safeguards to guarantee operational integrity and customer data protection.


Chairman of the Board

Decision No. (729) of 2016

Dated: 28/8/2016

Regarding Technological Controls and Information Security Rules Related to

the Issuance and Distribution by Insurance Companies of Certain Standard Insurance Policies Electronically

via Information Systems Networks

Chairman of the Egyptian Financial Supervisory Authority

Having reviewed Law No. 10 of 1981 Issuing the Law on Supervision and Control of Insurance in Egypt, and its Executive Regulations and amendments, and Law No. 15 of 2004 Regarding the Regulation of Electronic Signatures in Egypt, and Law No. 10 of 2009 Regulating Supervision over Non-Banking Financial Markets and Instruments, and the Statutes of the Egyptian Financial Supervisory Authority issued by Presidential Decree No. 192 of 2009, and the memorandum of Mr. Advisor, Vice President of the State Council and Legal Advisor to the Authority dated 1/9/2015, and Decision No. (122) of 2015 of the Authority's Board of Directors Regarding the Regulation of the Issuance and Distribution by Insurance Companies of Certain Standard Insurance Policies Electronically via Information Systems Networks.


(Article One)

Insurance companies approved by the Authority to issue standard insurance policies electronically via the company's information systems, and allowing the policy to be printed and distributed by the insured directly or by one of the entities approved by the Authority, all in accordance with Decision No. (122) of 2015, shall comply with the technological controls and information security rules set forth in this Decision.

(Article Two)

This Decision shall be published in Al-Waqai' Al-Masriya and on the Authority's website, and shall take effect from the day following its publication. It shall be communicated to the concerned departments for implementation.

Chairman of the Authority
Sherif Samy


Egyptian Financial Supervisory Authority

Chairman of the Board


Technological Controls and Information Security Rules Related to

the Issuance and Distribution by Insurance Companies of Certain Standard Insurance Policies Electronically via Information Systems Networks

First: Technological Infrastructure

The insurance company's information center shall be located within the borders of the Arab Republic of Egypt and subject to its laws. The company may resort to third-party hosting services provided by entities approved by the Authority in accordance with Chairman's Decision No. 366 of 2014, or with the company's main shareholder outside Egypt, provided it is an insurance company or one of its subsidiaries, or with other specialized companies with a track record in the field, subject to the Authority's approval. The hosting service provider must be approved by the Authority.

1. Communication Means

All communication means used must be licensed by the National Telecom Regulatory Authority.

2. Central Servers and Operating Systems

The insurance company shall be committed to using central server devices that meet, as a minimum, the following:

a. An independent server operating as the database server (either a Physical Database Server or a virtual environment).

b. An independent server operating as the application server (either a Physical Application Server or a virtual environment).

c. The specifications of those servers must meet the minimum hardware and software requirements necessary to operate electronic issuance and distribution services for insurance policies and store their data.

d. All electronic software used in these servers must be licensed and updated.

e. They must provide the minimum required level of high availability (High Availability) at a rate of not less than 95%.

In the event the company wishes to use a virtual environment, it must include an information security system that allows separation between servers using information security policies and rules.

3. Information Protection and Security

The company shall provide the necessary technological infrastructure for its information security (or that of the hosting provider) in accordance with the following controls:

a. Installation of a firewall system to secure communication networks within the company and between the company and other entities distributing policies, which may be implemented through multiple exits for the same firewall.

b. Provision of a network protection system according to the services requiring protection (e.g., an Intrusion Prevention System (IPS)).

c. Conducting periodic maintenance of network and information security devices, adhering to appropriate configuration rules and continuously updating them (Configuration Rules).

d. Equipping all computing devices connected to the company's network (personal, portable, or servers) with antivirus and antimalware software, subject to continuous updates.

e. Implementing a monitoring and access control system for the central server room (Data Center) from both inside and outside.

f. Notifying the Authority in the event of any security incidents occurring at the level of the information infrastructure and the systems operating on it, along with the measures taken regarding them.

g. In the event the company's website on the Internet is used to issue and print insurance policies, this website must be secured using an SSL electronic security certificate (Website Digital Certificate).

h. If the insurance company wishes to implement an electronic signature system compatible with the conditions and requirements of the Information Technology Industry Development Agency (ITIDA), so that email correspondence with customers has legal probative value, the company must apply an electronic signature to that correspondence and its attachments using an electronic signature certificate.

Second: Technical Specifications of the Information System (Applications)

1. Information System

The insurance company shall provide a complete and secure information system to register and process customer data through direct interaction with the customer or via the policy distribution entity. The system shall consist of applications and databases specific to all transactions on standard insurance products stipulated in Decision No. 122 of 2015.

In all cases, the insurance company must comply with the following:

a. Not retaining customer data with the policy distribution entity (data registration and retention in the database shall be solely with the insurance company).

b. Electronic storage by the company of the complete policy data and its terms (avoiding cases where only customer data and the remainder of the policy table data are stored, with reference to template terms that can be modified later).

c. The policy data displayed on the screen and printed copies must match the data specified by the Authority.

d. The system must include a distinctive mark or symbol for mandatory fields, linked to alert messages that inform the user when field data is incompatible with the nature of the field.

e. The system must issue a unique number for each policy, which must be sequential and non-repetitive. This is in addition to the Policy Number.

f. The policy shall not be issued nor assigned a number until all data is entered and a printable page is displayed to the customer for review, containing all entered data and all policy terms. The user shall then have the option to confirm acceptance of the policy issuance or reject it through the permissions granted to the user.

g. The system must prevent any modification to any record, data, or information after the policy is issued. The policy can be cancelled without deleting it from the system of policies, indicating it is cancelled in the company's database under the same policy number.

h. The system must allow the customer to view and print the policy terms at any stage of registration, review, or after the policy issuance.

2. User Access Security

a. The system must prevent the same username from logging in more than once simultaneously or opening more than one session using the same username at the same time.

b. The system must handle a customer or policy distribution entity session that is left inactive (Inactive Session) for more than 20 minutes by ending it, after which it must require re-entry of verification data.

c. The system must allow the customer or the policy distribution entity to change their password themselves at any time. It must also force the user to change the password on first use whenever the password was issued or previously changed by the insurance company itself. Passwords must follow established creation rules that make them difficult to deduce or identify (for example, at least 8 characters including numbers); they must contain symbols and must not be easily deducible or guessable.

d. In the event of direct customer interaction with the company, the customer may register a new account on the company's website, subject to verification of the customer's identity via an email or an SMS sent to a mobile number specified by the customer.

e. In cases of direct interaction between the customer and the company, i.e., with no distribution entity involved (in the cases permitted by Decision No. 122 of 2015), employees of the entity cannot register themselves directly on the insurance company's system or website; instead, an electronic account must be opened for them through the company. The company is responsible for securing the passwords it issues to any of them.

f. In the event of multiple users at the distribution entity, the insurance company must create a separate account for each user. The intermediary must also notify the insurance company of any changes to the users of the company's system.

g. The system must force all users to change their password at least every 90 days.

h. The company's system must record the user's IP address upon login.
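As an added illustration that is not part of the Decision, the following Python models the User Access Security items (a), (b), (c), (g) and (h) above: one live session per username, the 20-minute inactivity limit, first-use and 90-day password-change enforcement, the 8-character letters/digits/symbols rule, and a login log that records the source IP. Account fields, return strings and function names are constructed for the example, and credential verification itself is assumed to have succeeded before `login` is called.

```python
from datetime import timedelta

# Parameters taken from Section Second/2 of the Decision.
IDLE_TIMEOUT = timedelta(minutes=20)   # item (b)
PASSWORD_MAX_AGE = timedelta(days=90)  # item (g)
MIN_PASSWORD_LENGTH = 8                # item (c)

def password_meets_rules(pw):
    """Item (c): at least 8 characters, mixing letters, digits and symbols."""
    return (len(pw) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def password_change_required(acct, now):
    """Item (c) first-use rule and item (g) 90-day rotation."""
    return acct["set_by_company"] or now - acct["pw_changed_at"] > PASSWORD_MAX_AGE

def session_is_live(acct, now):
    """Item (b): a session idle for more than 20 minutes is no longer valid."""
    s = acct["session"]
    return s is not None and now - s["last_seen"] <= IDLE_TIMEOUT

def login(acct, ip, now, log):
    """Item (a): one live session per username; item (h): record the source IP."""
    if session_is_live(acct, now):
        log.append({"user": acct["username"], "ip": ip, "time": now, "result": "rejected-concurrent"})
        return "rejected"
    acct["session"] = {"last_seen": now, "ip": ip}
    log.append({"user": acct["username"], "ip": ip, "time": now, "result": "ok"})
    return "password-change-required" if password_change_required(acct, now) else "ok"

def touch(acct, now):
    """Per request: drop a session idle for more than 20 minutes and demand re-verification."""
    if not session_is_live(acct, now):
        acct["session"] = None
        return "reauthentication-required"
    acct["session"]["last_seen"] = now
    return "ok"

def change_password(acct, new_pw, now):
    """Accept a new password only if it meets the rules; clears the first-use flag."""
    if not password_meets_rules(new_pw):
        return False
    acct["set_by_company"], acct["pw_changed_at"] = False, now
    return True

def new_account(username, issued_at):
    """Constructed sample account whose initial password was issued by the company."""
    return {"username": username, "set_by_company": True, "pw_changed_at": issued_at, "session": None}
```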

Third: General Controls

1. Time Synchronization

The insurance company shall synchronize the time of all information systems, devices on which these systems are installed, and all information security networks to a single time, for example, the time of the Arab Republic of Egypt.

2. Logging and Record Retention

The insurance company shall comply with the following:

a. Logging all activities occurring on all devices and systems (System Logs, Security Logs, and Application Logs) including auxiliary devices (computers, network devices, information security devices).

b. Logging all login and logout attempts from the system by the customer / policy distribution entity / company employees – (successful or failed), and the log must include the unique "Session ID".

c. Logging the data of the user performing the data entry.

  1. In the case of direct interaction with the customer, the system shall log the username of the person performing the data entry.

  2. In the case of interaction with a policy distribution entity, the system must log the entity's name and the username of the person performing the entry, and such data must be tamper-proof.

d. The system must maintain independent logs for the following operations:

  1. Logging in and out of the system (Login, Logoff)

  2. The electronic form for policy issuance request (Form Submission)

All logs referred to in this Decision must be retained for a period of not less than five years. In the event of a dispute with a customer, the company is committed to retaining all logs until the dispute is resolved or a final judicial ruling is issued.
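As an added illustration that is not part of the Decision, the following Python keeps the independent Login/Logoff and Form Submission logs of item (d) as HMAC-chained, append-only records carrying the Session ID, username and entity name required by items (b) and (c); `verify` reports the first entry whose content or chain link no longer matches, which is one way to give the logs the tamper-proof property (c)(2) asks for. The key, field names and sample values are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Item (d): independent logs for Login/Logoff and Form Submission operations.
OPERATIONS = ("login_logoff", "form_submission")
# Constructed demo key. In practice the MAC key is held where the application
# writing entries cannot read it back, otherwise an edit could simply be re-signed.
DEMO_KEY = b"constructed-demo-key-not-for-production"

class TamperEvidentLog:
    """Append-only logs in which each entry's MAC also covers the previous MAC,
    so editing, removing or reordering an entry breaks the chain from that point."""

    def __init__(self, key=DEMO_KEY):
        self.key = key
        self.chains = {op: [] for op in OPERATIONS}

    def _mac(self, fields):
        body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def append(self, operation, *, session_id, username, entity=None, **fields):
        """Items (b)/(c): every entry carries the Session ID, the username and,
        when a distribution entity is involved, the entity name."""
        chain = self.chains[operation]
        entry = {"time": datetime.now(timezone.utc).isoformat(), "session_id": session_id,
                 "username": username, "entity": entity, **fields,
                 "prev": chain[-1]["mac"] if chain else "0" * 64}
        entry["mac"] = self._mac(entry)
        chain.append(entry)
        return entry["mac"]

    def verify(self, operation):
        """Return the index of the first entry whose content or chain link is wrong, or -1."""
        prev = "0" * 64
        for i, entry in enumerate(self.chains[operation]):
            fields = {k: v for k, v in entry.items() if k != "mac"}
            if fields.get("prev") != prev or not hmac.compare_digest(self._mac(fields), entry.get("mac", "")):
                return i
            prev = entry["mac"]
        return -1
```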

3. Backups

The insurance company shall maintain backups of all data referred to in this Decision, ensuring the ability to restore such data when needed. Additional copies of the referred backups shall be stored at an alternative site, ensuring the adoption and application of a clear, written policy for backup sequencing and retention period.

4. Privacy

Customer data shall be used solely for the purpose for which it was provided, so as to protect customer privacy; personal data shall not be made available for any marketing purposes via phone or electronic contact, or to the policy or its issuer, and shall not be made available to any other party.

Smart Village, Building 15-B
Km 28, Cairo-Alexandria Desert Road
Giza Governorate, Postal Code: 12577
Tel: (+202) 25370040 - Fax: (+202) 25315323
Email: info@efsa.gov.eg
Website: www.efsa.gov.eg